[Bug 939829] New: nagios from server:monitoring breaks apache due to deprecated config files
http://bugzilla.suse.com/show_bug.cgi?id=939829 Bug ID: 939829 Summary: nagios from server:monitoring breaks apache due to deprecated config files Classification: openSUSE Product: openSUSE Factory Version: 201505* Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Apache Assignee: bnc-team-apache@forge.provo.novell.com Reporter: wagner-thomas@gmx.at QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- On a fresh Tumbleweed installation I installed nagios from server:monitoring. Then I couldn't restart apache. Journalctl shows: Jul 29 11:01:18 tumbleweed start_apache2[9496]: AH00526: Syntax error on line 14 of /etc/apache2/conf.d/nagios.conf: Jul 29 11:01:18 tumbleweed start_apache2[9496]: Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configuration The reason: "Order" is from apache 2.2 but with tumbleweed apache 2.4 is shipped. According to http://httpd.apache.org/docs/2.4/upgrading.html two solutions for this probelm exist: 1) using "Require" instead of order for apache 2.4 2) mod_access_compat can be used. Solution 1) is IMHO the way to go. However it's incompatible with apache 2.2 and server:monitoring builds for lots of distributions. Is any of these still using apache 2.2? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=939829
http://bugzilla.suse.com/show_bug.cgi?id=939829#c1
Petr Gajdos
Solution 1) is IMHO the way to go. However it's incompatible with apache 2.2 and server:monitoring builds for lots of distributions. Is any of these still using apache 2.2?
Yes, there are, for example 13.1. But a patch can be applied depending for which distro is nagios building. Ideally, the old and new syntax should be used depending if access_compat module is loaded, see https://build.opensuse.org/package/view_file/devel:tools:scm/git/apache2-git... for example. Lars, it seems you are maintaining nagios, aren't you? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=939829
http://bugzilla.suse.com/show_bug.cgi?id=939829#c2
--- Comment #2 from Petr Gajdos
http://bugzilla.suse.com/show_bug.cgi?id=939829
http://bugzilla.suse.com/show_bug.cgi?id=939829#c3
--- Comment #3 from Thomas Wagner
Ideally, the old and new syntax should be used depending if access_compat module is loaded, see
https://build.opensuse.org/package/view_file/devel:tools:scm/git/apache2- gitweb.conf
How does this config file work with apache 2.2? IMHO
http://bugzilla.suse.com/show_bug.cgi?id=939829
http://bugzilla.suse.com/show_bug.cgi?id=939829#c4
--- Comment #4 from Petr Gajdos
https://build.opensuse.org/package/view_file/devel:tools:scm/git/apache2- gitweb.conf
How does this config file work with apache 2.2? IMHO
would resolve to "True" and the "Require" part is included in apache 2.2 instead of the "Order/Allow" part.
Correct, this conf file is not intended for 2.2 at all. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=939829
http://bugzilla.suse.com/show_bug.cgi?id=939829#c5
Lars Vogdt
http://bugzilla.suse.com/show_bug.cgi?id=939829
http://bugzilla.suse.com/show_bug.cgi?id=939829#c6
Thomas Wagner
@Thomas: can you please test if the latest nagios package works for you? Just did two test, one on latest tumbleweed and one on openSUSE 13.1. The tumbleweed installation does work, however the nagios webfrontend is now broken on openSUSE 13.1. On openSUSE 13.1, I get a 403 (access denied) from apache when accessing http://localhost/nagios
I had to manually replace the "Require all granted" with the old "Order/Allow" syntax to make nagios' webfrontend accessible again. Below I pasted the "zypper info" (without the long description) to show which versions of nagios an apache I used. # zypper info nagios Loading repository data... Reading installed packages... Information for package nagios: ------------------------------- Repository: server:monitoring Name: nagios Version: 4.1.0-2.1 Arch: x86_64 Vendor: obs://build.opensuse.org/server:monitoring Installed: Yes Status: up-to-date Installed Size: 976.0 KiB Summary: The Nagios Network Monitor # zypper info apache2 Loading repository data... Reading installed packages... Information for package apache2: -------------------------------- Repository: openSUSE-13.1-Update Name: apache2 Version: 2.4.6-6.47.1 Arch: x86_64 Vendor: openSUSE Installed: Yes Status: up-to-date Installed Size: 3.5 MiB Summary: The Apache Web Server Version 2.2 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=939829
http://bugzilla.suse.com/show_bug.cgi?id=939829#c8
--- Comment #8 from Petr Gajdos
This happens if your are using mod_access_compat. When that is enabled, you *must* use the 2.2 syntax and you'll get a 403 if trying to use the 2.4
*Generally*, that is not exactly true as far as I know. If both authz_core and access_compat are loaded, you can use either system you want.
Require ... syntax. It might work to use both at once but that gets confusing (and possibly undefined if they conflict!).
You can even use both of them together, but the result has to be consistent, that is: access is allowed if both systems allow. If at least one forbids, access is forbidden. See 881506 comment 18.
Because of this, relying on a version check is insufficient, as 2.4
Yes, thats true (because of access_compat), nevertheless ..
w/mod_access_compat behaves like 2.2. Adding wrappers like <IfModule mod_access_compat.c> Order allow,deny Allow from all </IfModule>
Require all granted </IfModule>
.. whether this will work depends also on which syntax is used previously. If mod_access is loaded but new syntax forbid into this dir, this won't work. Also note that access_compat is not present in sle11. So I would disclaim my comment 1 for distros older than Tumbleweed.
e.g. default-server.conf. I would suggest backporting the fix to 13.1/13.2, but that's beyond the scope of this bug, and the other one is closed, so ???
In my opinion, this is too invasive change to backport, I am afraid. The situation on newly installed distros (not upgrades!) is as follows: sle11 no access_compat httpd.conf (Deny for /): old syntax 13.1 access_compat static httpd.conf (Deny for /): new syntax 13.2 access_compat static httpd.conf (Deny for /): new syntax Tumbleweed access_compat shared, not loaded by default httpd.conf (Deny for /): old syntax when access_compat loaded, new syntax otherwise So everywhere in supported openSUSEs we can assume that new syntax should be preferred. I tend to agree with Lars to use upstream solution. Currently I do not se a way to catch all possibilities. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com